The document provides instructions for setting up an iOS application testing lab, including recommended hardware, software, and tools for both MacBooks and PCs. It discusses jailbreaking iOS devices to gain root access, installing useful packages and utilities, and exploring application directories and data stores to find vulnerabilities like insecure data storage or client-side injection issues.
2. @jhaddix
I work at Fortify On Demand
We assess a lot of mobile apps
http://goo.gl/cjd3JF
Me
3. iDevice apps are downloaded via the App Store or given to you by the customer. They have the extension .ipa, which is just a zip file. Your iDevice unzips them, handles the crypto and signing magic, and deploys them to their own sandboxed directory.
ZOMG 2hrs!?!!???!?
4. A jailbroken iDevice?
SSHed into their device before?
Proxied a mobile app or used Burp Suite before?
Let's Play "Who has?"
7. • Software for MacBook
o Xcode with developer utils
o USBMux Python package
o iTunes
o Burp Suite
o Wireshark
o Hopper Disassembler
o iFunBox
o Filezilla
o libimobiledevice
MacBook Software
8. • Software for PC
o iFunBox
o iExplorer
o Apple Configuration Utility
o USBMux Python package
o iTunes
o Burp Suite
o SSH/SCP Client (I use Bitvise)
o Plist editor pro
o SQL Database Browser
o SQLite Expert Professional
o Wireshark ++ Tshark
o Python
o Java
o IDA Pro
PC Software
11. • Get us a shell!
o A jailbreak is a set of exploits designed to give us full control over the device. Also installs the Cydia appstore.
o A combination of userland exploits, kernel exploits, and iOS API trickery.
o Current JB is Evasion 7.1 or Pangu 7.1.2
Jailbreaking
12. 1. Open and update Cydia
2. Then install OpenSSH
• In Safari: apptapp://package/openssh
Post Jailbreak
14. 1. Get USB mux installed
1. This way you don't need a network
Not iPad Software
ECHO OFF
::CMD will no longer show us what command it's executing (cleaner)
::Path separators were lost in extraction and are restored here; adjust the Python and usbmuxd paths to your install
ECHO USB MUX Connection!
Python27\python.exe usbmuxd-1.0.8\python-client\tcprelay.py -t 22:2222
15. 1. Now you have a functioning *nix environment on your iPad.
2. A Lab Mac
3. A Lab PC
Let's talk about what we are looking for!
Now you have *NIX
17. 1. We live in userland
2. We still have fun
3. Remember, it’s for the customer
We test Apps
18. On the iDevice, once installed, the IPA file (remember, just a zip) is extracted to the application's sandboxed folder:
/var/mobile/Applications/APPGUID/
Where Apps live
19. Use the IPA Installer Console (or appcake) to install apps that you have IPAs for:
Appcake IPAs must be dropped in: /var/mobile/Media/Appcake/Imported
Installing IPAs
Ender:~ root# ipainstaller -c TargetApp.ipa
Clean installation enabled. Will not restore any saved documents and other resources.
Analyzing TargetApp.ipa...
Installing TargetApp (v1.0)...
Installed TargetApp (v1.0) successfully.
Cleaning old contents of TargetApp...
20. listapps
#!/bin/sh
# list every installed app bundle, sorted by bundle name (6th path component)
ls -d /var/mobile/Applications/*/*.app | sort -f -t / -k 6
Place in /usr/bin/ :
24. Appname.app/
Let's explore an app bundle directory; inside it are the barebones pieces of the app once installed:
ls -alX <appPath/appName.app>
26. $Appname.app/
Other files inside of the bundle (.app/):
• Image files
• Info.plist
• Hard coded certs
• Pre configured SQLite dbs
More on the content of the app directory later
27. $appguid/
Up one directory from your app's .app folder is its sandbox directory (the app's "container"). Upon first run things get copied here, and the important storage, settings and cache files live here.
ls -alX $appPath/
• /var/mobile/Applications/<long string here>/
34. Logs, SQLite, Plists, Caches, oh my!
M2 – Insecure Data Storage
• All of the last slide will be stored by one app or another.
• Some are OK to store as long as the file is protected by encryption.
• Others are usually bad to store all the time and should be handled:
– In memory
– Crypted in the keychain
– On the server exclusively
35. Working with data storage files
• Most data stores can be inspected easily with a text
editor, except:
– Plists
• XML
• Binary
– SQLite Databases
36. Plists
Data storage via: NSUserDefaults
Tool On Mac
§ Xcode plist editor will read both formats
§ plutil will convert a binary plist to an XML one
Tool On Windows
§ Plist Editor Pro will read and save either format
§ Notepad++
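Added example, not from the deck: the container walk of slides 24-27 and 35-36 as a script. It builds a throwaway container with a few constructed files (the path layout mirrors /var/mobile/Applications/<GUID>/, the file names and contents are invented), classifies each plist by its header bytes instead of its extension, finds SQLite databases by their magic string whatever they are called, and lists shipped certificate files. The plutil call only runs where plutil exists (a Mac); elsewhere it is skipped.

```shell
#!/bin/sh
# Added example (not from the deck). Usage: sh container_walk.sh /path/to/container
# With no argument it runs against a constructed container built below.

# Build a throwaway container so the script runs anywhere. All contents constructed.
make_fake_container() {
  d=$(mktemp -d)
  mkdir -p "$d/TargetApp.app" "$d/Documents" "$d/Library/Caches" "$d/Library/Preferences"
  printf 'bplist00' > "$d/TargetApp.app/Info.plist"                       # binary plist magic
  printf '<?xml version="1.0"?><plist/>' > "$d/Library/Preferences/com.example.target.plist"
  printf 'SQLite format 3' > "$d/Documents/store.db"                      # SQLite header, odd name
  printf '%s' '-----BEGIN CERTIFICATE-----' > "$d/TargetApp.app/pinned.pem"
  : > "$d/Library/Caches/thumb.png"
  printf '%s\n' "$d"
}

# plist_kind FILE: binary, xml or unknown, decided by the first bytes (slide 36:
# both forms are common, and the extension says nothing about which one you have).
plist_kind() {
  case "$(head -c 6 "$1")" in
    bplist*) printf 'binary\n' ;;
    '<?xml'*|'<plist'*) printf 'xml\n' ;;
    *) printf 'unknown\n' ;;
  esac
}

# find_plists DIR: every .plist in the bundle and container.
find_plists() { find "$1" -type f -name '*.plist'; }

# find_sqlite DIR: files carrying the SQLite header, whatever they are named.
find_sqlite() {
  find "$1" -type f | while IFS= read -r f; do
    if [ "$(head -c 15 "$f")" = 'SQLite format 3' ]; then
      printf '%s\n' "$f"
    fi
  done
}

# find_certs DIR: hard-coded certificate material shipped in the bundle (slide 26).
find_certs() {
  find "$1" -type f \( -name '*.pem' -o -name '*.cer' -o -name '*.crt' -o -name '*.der' -o -name '*.p12' \)
}

# count_lines: prints 0 instead of failing on empty input (grep -c exits 1 then).
count_lines()  { grep -c '' || true; }
count_plists() { find_plists "$1" | count_lines; }
count_sqlite() { find_sqlite "$1" | count_lines; }
count_certs()  { find_certs "$1" | count_lines; }

# report DIR: the places slides 24-27 point at, in one listing.
report() {
  printf '== bundle and container layout ==\n'
  find "$1" -type d | sed "s|^$1|<container>|"
  printf '== plists (kind by header) ==\n'
  find_plists "$1" | while IFS= read -r p; do
    printf '%s  %s\n' "$(plist_kind "$p")" "$p"
    # On a Mac, plutil renders the binary form as XML (slide 36); skipped elsewhere.
    if [ "$(plist_kind "$p")" = binary ] && command -v plutil >/dev/null 2>&1; then
      plutil -convert xml1 -o - "$p" || printf '  (plutil could not parse %s)\n' "$p"
    fi
  done
  printf '== SQLite databases (by header) ==\n'
  find_sqlite "$1"
  printf '== certificate files ==\n'
  find_certs "$1"
}

if [ $# -gt 0 ]; then
  report "$1"
else
  d=$(make_fake_container)
  report "$d"
  rm -rf "$d"
fi
```

Checking the header rather than the name is the point: a Core Data store or cache named .db, .dat or with no extension still starts with "SQLite format 3", and a binary plist still starts with "bplist".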
39. SQLite
• iOS supports SQLite for data storage using
NSManagedObject (core data)
• Tools:
– SQLite Database Browser for Win (GUI)
– SQLite on the command line
40. Checking the encryption level of files
• Most files can be assigned a Data Protection API level (NOT NSUserDefaults)
• This designates when the file is accessible and unencrypted

Protection class                                        When the file is encrypted
NSFileProtectionComplete                                Encrypted unless device is on and unlocked.
NSFileProtectionCompleteUnlessOpen                      Encrypted unless device is on and unlocked, or the file is already open.
NSFileProtectionCompleteUntilFirstUserAuthentication    Encrypted until user first unlocks the device, until device shutdown. (default on iOS 7)
NSFileProtectionNone                                    Unencrypted (default on iOS 6)
49. Proxy the device
• HTTP Traffic:
• Fire up Burp
• Go to your phone and navigate to: Settings -> Wi-Fi -> Network name -> HTTP Proxy -> Manual
• Enter the IP address of your machine running Burp and the external port Burp is listening on.
57. iNalyzer
• Static/bin analysis tool
• Cracks app
• Creates doxygen graph out of classdump-z data
• Offers web GUI, finding plists, dbs etc
• Has a cycript console in its web GUI, allowing you to proxy the web GUI via Burp for fuzzing.
• https://appsec-labs.com/iNalyzer
59. Introspy
• Runtime hooking and monitoring tool using MobileSubstrate
• Will log API calls for crypto, data storage, network connections and more to an SQLite db.
• Separate tool parses the db, offers some automated security checks.
• Bad XML parsing, bad cert pinning, bad keychain usage, pasteboard, HTTP traffic, bad data storage, crypto flaws.
• http://isecpartners.github.io/Introspy-iOS/
61. idb
• Ruby based GUI tool to instrument and automate some testing
• GUI for SSH/USBmux, log viewer, checks imported libs, checks for ASLR, SS, PIE (otool checks), pasteboard viewer, URL scheme fuzzer, keychain
• https://github.com/dmayer/idb/wiki/Manual-and--Walk-Through
63. iret
• Web based GUI instrumentation tool
• Pretty much the same as idb
• Has a function to create theos tweaks
65. Snoop-it
• Web GUI
• Runtime monitoring, debugging, tracing tool.
• GUI for classes, methods, objects and can
invoke views and methods via web gui.
• https://code.google.com/p/snoop-it/
69. Grep your way to $profit!
• Un-encrypt an iOS app and the strings table can reveal a lot... (clutch works well)
• Classdump-z + otool gives more!
• Whole companies are built on this =(
70. Unencrypting
• Cracking the app to view data:
– Clutchpatched from Cydia
– Cracked app to be analyzed ends up in /var/root/Documents/Cracked/
71. Grep Your way to $ecurity
https://github.com/jhaddix/ios_sh/blob/master/ios.sh
(table columns: Issue | Bin or Source | Grep string)

Web Comms (secure or unsecure):
  http OR https
  openUrl, handleOpenURL, NSUrl, writeToUrl, CFStream, NSStreamin
Weak Cert management or SSL:
  setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot
Exploit mitigations (PIE, StackProt, ARC):
  otool -Ivm "$app_binary_path" | grep stack_chk
  otool -hvm "$app_binary_path" | grep PIE
  otool -Ivm "$app_binary_path" | grep _objc | sort | sed -n '1,10p'
72. Grep Your way to $ecurity
(table columns: Issue | Bin or Source | grep string)

Possible Format string bugs:
  grep -i "NSLog|stringWithFormat|initWithFormat|appendFormat|informativeTextWithFormat|predicateWithFormat|stringByAppendingFormat|alertWithMessageText|NSException +format|NSRunAlertPanel" | grep "%@"
App checks for JB status or has JB protection (common ones):
  grep "^/bin/bash$|^/Applications/Cydia.app$|/cydia.log$"
Pasteboard enabled:
  generalpasteboard
SQL from dynamic input (possible client/server SQLi):
  grep -i "^begin transaction|^select .* from |^update .* set |^delete from |^insert into " | grep "%@" | grep -v "SELECT id,access_token FROM test_account WHERE app_id"
Registered URL Schemes (for info only):
  grep -oE "[a-zA-Z][a-zA-Z0-9+-.]*://[^[:space:]<>#"']+" | grep -v "http://|https://|radr://"
73. Grep Your way to $Privacy
(table columns: Issue | Bin + Source | Privacy API's)

App uses address book: ABAddressBookCopyArrayOfAllPeople|ABAddressBook
App uses ad or analytics (some): GADBannerView|GADRequest|GADInterstitial|kGADAd|GADSearch|GoogleConversionPin|adwhirl
App has logging enabled: _NSLog$
App uses Bluetooth: GKSession|MCSession|CBCentralManager
App uses Calendar: EKEventStore
Possible Weak or Guessable Hash/crypto: CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES
App uses geolocation: cllocation
App stores photos world accessible: UIImageWriteToSavedPhotosAlbum
App uses Push Notifications: registerForRemoteNotificationTypes
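Added example, not from the deck and not the ios.sh script linked on slide 71: the grep checks of slides 71-73 wrapped as shell functions and run over a constructed strings dump. The sample lines are invented for the example (a real run would feed it `strings` output of a decrypted binary, or source). One deliberate difference from the slide tables: the patterns use `grep -E`, because the `|` alternation they rely on is not part of basic grep syntax on every platform.

```shell
#!/bin/sh
# Added example (not from the deck). Usage: sh ios_grep_checks.sh strings_dump.txt
# With no argument it runs over the constructed sample written below.

# Constructed sample of what `strings` prints for a decrypted app binary.
# Every line is invented for this example.
write_sample() {
  cat <<'EOF'
https://api.example.invalid/v1/login
http://ads.example.invalid/track?id=1
setAllowsAnyHTTPSCertificate:
kCFStreamSSLAllowsAnyRoot
NSLog(@"user=%@ token=%@")
stringWithFormat:
/Applications/Cydia.app
SELECT id FROM accounts WHERE name = '%@'
generalPasteboard
CC_MD5
UIImageWriteToSavedPhotosAlbum
myapp://oauth/callback
EOF
}

# Write the sample to a temp file and print its path.
sample_file() {
  f=$(mktemp)
  write_sample > "$f"
  printf '%s\n' "$f"
}

# count_matches FILE PATTERN: lines matching an extended, case-insensitive regex.
# Prints 0 (without failing) when nothing matches, so it is safe under set -e.
count_matches() {
  grep -Eic -- "$2" "$1" || true
}

# Slide 71: cleartext web communication and weak certificate / SSL handling.
check_cleartext_http() { count_matches "$1" '^http://'; }
check_weak_ssl() {
  count_matches "$1" 'setAllowsAnyHTTPSCertificate|kCFStreamSSLAllowsExpiredRoots|kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot'
}

# Slide 72: format-string candidates, counted only where a %@ is on the same line.
check_format_string() {
  grep -Ei 'NSLog|stringWithFormat|initWithFormat|appendFormat|informativeTextWithFormat|predicateWithFormat|stringByAppendingFormat|alertWithMessageText|NSRunAlertPanel' "$1" \
    | grep -c '%@' || true
}

# Slide 72: strings commonly used by jailbreak detection.
check_jb_detection() {
  count_matches "$1" '^/bin/bash$|^/Applications/Cydia\.app$|/cydia\.log$'
}

# Slide 72: SQL statements that take dynamic input (%@ inside the statement).
check_dynamic_sql() {
  grep -Ei '^begin transaction|^select .* from |^update .* set |^delete from |^insert into ' "$1" \
    | grep -c '%@' || true
}

# Slide 72: registered URL schemes other than http(s)/radr, for information.
list_url_schemes() {
  grep -oE "[a-zA-Z][a-zA-Z0-9+.-]*://[^[:space:]<>#\"']+" "$1" \
    | grep -Ev '^(https?|radr)://' || true
}

# Slide 73: pasteboard use, weak hashes/ciphers and world-readable photo writes.
check_pasteboard()  { count_matches "$1" 'generalPasteboard'; }
check_weak_crypto() { count_matches "$1" 'CC_MD2|CC_MD4|CC_MD5|CC_SHA1|kCCAlgorithmDES'; }
check_photo_roll()  { count_matches "$1" 'UIImageWriteToSavedPhotosAlbum'; }

# report FILE: every check with its hit count.
report() {
  printf 'cleartext http URLs:      %s\n' "$(check_cleartext_http "$1")"
  printf 'weak SSL/cert handling:   %s\n' "$(check_weak_ssl "$1")"
  printf 'format string candidates: %s\n' "$(check_format_string "$1")"
  printf 'jailbreak detection hits: %s\n' "$(check_jb_detection "$1")"
  printf 'dynamic SQL with %%@:      %s\n' "$(check_dynamic_sql "$1")"
  printf 'pasteboard use:           %s\n' "$(check_pasteboard "$1")"
  printf 'weak hash/cipher use:     %s\n' "$(check_weak_crypto "$1")"
  printf 'photo roll writes:        %s\n' "$(check_photo_roll "$1")"
  printf 'custom URL schemes:\n'
  list_url_schemes "$1" | sed 's/^/  /'
}

if [ $# -gt 0 ]; then
  report "$1"
else
  f=$(sample_file)
  report "$f"
  rm -f "$f"
fi
```

Every hit is a lead, not a finding: `CC_MD5` may be an integrity check rather than a password hash, and a `%@` next to `NSLog` is only a bug when the format argument is attacker-controlled, so each count still needs the binary opened in Hopper or the source read.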
75. Bin Analysis w/Hopper
• http://www.hopperapp.com/
DVIA Challenges
• Binary Patching
• Broken Cryptography
• Security Via Untrusted Inputs
77. Client Side Vulns
(table columns: Vuln | Notes)

Format String Injection
Image Cache Disclosure: Saving priv photos to the global photoroll instead of sandbox
Client side SQL injection: Low risk
Sensitive data over unauthenticated Web Service
Encryption Using ECB Mode
Failure to Validate Source Application from openURL
General Pasteboard Use
iOS Keyboard Cache Exposure
Weak Cryptographic Hash: Hardcoded Salt
Keychain entry unencrypted
78. Client Side Vulns
(table columns: Vuln | Notes)

Cryptographic Keys Stored in Client: Usually in binary or sqlitedb
Application Compiled Without Stack-Smashing Protection: Found using otool
Application Compiled Without PIE Protection: Found using otool
Application Credentials Stored Clear Text in Memory
Application Logs Leak Sensitive Info (NSLog): Found by monitoring ASL
Sensitive data storage using a binary sqlite database (NSManagedObjects)
Sensitive data storage using binary plists (NSUserDefaults)
Authorization Bypass: On pin/pass screens, usually using cycript
79. Transport and Web Vulns
(table columns: Vuln | Notes)

No SSL: Pretty much all sensitive info should be over HTTPS
Weak Certificate Management: See slide 54
HTTPS can be downgraded to HTTP: Anyone in the middle can use SSLstrip to do this, or Burp - http://goo.gl/DnP4GA
Account Enumeration via Response: Usernames mostly
Sensitive data sent to ad or analytics endpoint (http or https): Baking in an ad/analytics framework can often do things devs don't even know about
Arbitrary file upload: Self explanatory; try old tricks here - http://goo.gl/HqMDeY
Web Service Data Exposure: A lot of these mobile WS will return a ton of data, and the app will only parse out some of it. An attacker will get it all.
80. Transport and Web Vulns
(table columns: Vuln | Notes)

SSL/Cert Pinning implementation: Defeatable with sslkillswitch
CSRF
Open Redirection
XML Entity Expansion Injection
Weak Serverside SSL Implementation: SSLabs or SSLAudit - http://goo.gl/5CtFBq
Logout does not destroy session serverside (cookie reuse after logout)
81. Transport and Web Vulns
(table columns: Vuln | Notes)

Application accepts message switch (GET/POST)
Verbose Errors
SQL Injection: Burp scanner or Generic_SQLi.txt fuzz list
XSS
Credentials/session tokens Sent In URL Query String
Lack of Account Lockout
Web service does not use correct content type: Make sure all web service calls return non-JavaScript-executable content types
UDID Leakage
Directory Traversal
Logout Does Not Clear Saved Credentials / Destroy Session: Copy cookies, logout, replace cookies
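Added example, not from the deck: a first pass over an exported proxy log for the transport and web issues of slides 79-81 that can be decided from the request line and response headers alone. The log format is constructed for the example (one exchange per line: METHOD URL STATUS CONTENT-TYPE BODY-START), and every host, token and identifier in it is invented.

```shell
#!/bin/sh
# Added example (not from the deck). Usage: sh proxy_log_triage.sh exchanges.log
# With no argument it runs over the constructed sample written below.

# Constructed sample log: METHOD URL STATUS CONTENT-TYPE BODY-START, one line each.
write_sample_log() {
  cat <<'EOF'
GET http://api.example.invalid/v1/items 200 application/json {"items":[]}
GET https://api.example.invalid/v1/me?token=abc123 200 text/html {"user":"bob"}
POST https://api.example.invalid/v1/login 200 application/json {"session":"s1"}
GET https://ads.example.invalid/t?udid=0123456789abcdef0123456789abcdef01234567 200 image/gif GIF89a
EOF
}

sample_log() {
  f=$(mktemp)
  write_sample_log > "$f"
  printf '%s\n' "$f"
}

# count_lines: prints 0 instead of failing on empty input.
count_lines() { grep -c '' || true; }

# Slide 79 "No SSL": requests that went out in the clear.
check_plaintext() {
  awk '$2 ~ /^http:\/\//' "$1" | count_lines
}

# Slide 81: credentials or session tokens carried in the URL query string,
# where they end up in server logs, proxies and browser history.
check_tokens_in_query() {
  awk 'tolower($2) ~ /[?&](token|session|sessionid|sid|password|passwd|auth)=/' "$1" | count_lines
}

# Slide 81 "UDID Leakage": a 40-hex-digit device identifier inside a URL.
check_udid_leak() {
  grep -Eic ' [a-z]+://[^ ]*[0-9a-f]{40}' "$1" || true
}

# Slide 81 content type: a JSON body served with anything but application/json
# (text/html or application/javascript lets a browser render or execute it).
check_json_content_type() {
  awk '$5 ~ /^[{[]/ && $4 !~ /^application\/json/' "$1" | count_lines
}

# Slide 79: traffic to ad or analytics hosts; compare what is sent with what
# the developers think the framework sends.
check_analytics_hosts() {
  awk '$2 ~ /^https?:\/\/(ads?|analytics|track)[.-]/' "$1" | count_lines
}

report() {
  printf 'cleartext http requests:         %s\n' "$(check_plaintext "$1")"
  printf 'tokens in query string:          %s\n' "$(check_tokens_in_query "$1")"
  printf 'UDID-looking values in URLs:     %s\n' "$(check_udid_leak "$1")"
  printf 'JSON with browser content type:  %s\n' "$(check_json_content_type "$1")"
  printf 'requests to ad/analytics hosts:  %s\n' "$(check_analytics_hosts "$1")"
}

if [ $# -gt 0 ]; then
  report "$1"
else
  f=$(sample_log)
  report "$f"
  rm -f "$f"
fi
```

The content-type check is the one most often missed in mobile back ends: the app's own JSON parser does not care what the header says, so nobody notices until the same endpoint is reached from a browser.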
82. Things we didn't talk about due to time constraints:
1. Manually decrypting apps
2. Classdump-z
3. Otool
4. MobileSubstrate or Theos or CaptainHook frameworks
5. Flex patching for beginners
6. XML Parsing vulns
7. KB cache
8. Snapshot caching
9. Copy paste buffer / UI pasteboard
10. URL Scheme fuzzing (can be done easily with idb)
11. URL Scheme spoofing
12. Capturing non-http(s) traffic
13. Cookie parsing
14. Filemon
15. Sqlite injection
16. Shared keychain access
86. Sources:
Sep 12, 2013 - How to Assess and Secure iOS apps by NCC Group
May 2, 2012 - iOS Application (In)Security by Dominic Chell
October 2, 2012 – iOS Security by Apple
April 21, 2011 - Secure Development on iOS by David Thiel (NCC Group)
Aug 11, 2011 – Auditing iPhone and iPad applications by Ilja Van Sprundel
iOS Reverse engineering blog content by Prateek Gianchandani of Highaltitudehacks.com
Tool Demos:
Daniel Mayer – idb
Satish Bommisetty - FileDP
Auxiliary reading:
My Old class https://dl.dropboxusercontent.com/u/37776965/Sources_external.rar